I have a dedicated server, and on this server I have two vhosts. I will give access to the server to two people. In my PHP file there's the database password and I don't want to share that with them.
So how can I protect the PHP file from being read? If I do a chmod 700, apache2 cannot read it and the page is "Forbidden".
Thanks and good night

2 Answers
2

In order to use the data, it must be readable by the webserver uid - which means that anyone who can deploy PHP code on the server can read the files. This is true of all web programming languages.

PHP is unusual in that it does provide mechanisms for partitioning shared access on a webserver by use of the open_basedir directive - you just need to configure different directory trees according to access - and set up separate database accounts with the relevant credentials stored in the separate environments - and configure the security at the database tier.

Alternatively you can use suPHP to restrict access based on a virtual user - when a PHP script runs, it does so with the uid/gid of the PHP script. Again you need separate database accounts with different privileges to control data access.

Word of warning: open_basedir has historically been anything but waterproof. Functions such as Curl or IMAP functions do not necessarily obey open_basedir restrictions and will bypass them happily. It's a nice bit of security but at least in the past it was easy to get around.
– Janne Pikkarainen, Nov 1 '11 at 10:34

At one point it was possible to read any file accessible for the user running the PHP script with imap_open(), imap_body() and imap_list(). Granted, this was many years ago, but still a good warning about the weaknesses in open_basedir. Considering the vast amounts of PHP modules and functions there are, the chances are many of them are still vulnerable even though things have gotten lots better.
– Janne Pikkarainen, Nov 1 '11 at 11:27
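
The per-vhost open_basedir layout described in the answer, as an added example that is not part of the original answer or comments. It assumes PHP runs as the Apache module (mod_php); the hostnames, directory paths and database account names are constructed placeholders.

```apache
# Constructed example: hostnames, paths and account names are placeholders.
# Assumes mod_php. Values set with php_admin_value cannot be overridden
# from .htaccess or with ini_set() by the people deploying code.

# --- vhost for the first person -------------------------------------
<VirtualHost *:80>
    ServerName site-a.example
    DocumentRoot /srv/www/site-a/public

    # PHP file functions in this vhost are confined to site-a's own trees.
    php_admin_value open_basedir      "/srv/www/site-a/:/srv/tmp/site-a/"

    # Keep uploads and session files inside the confined tree, so the
    # shared system temp directory does not have to be whitelisted.
    php_admin_value upload_tmp_dir    "/srv/tmp/site-a/"
    php_admin_value session.save_path "/srv/tmp/site-a/"

    # /srv/www/site-a/private/db.php (outside the DocumentRoot) holds the
    # credentials of the database account "site_a_app" and nothing else.
</VirtualHost>

# --- vhost for the second person ------------------------------------
<VirtualHost *:80>
    ServerName site-b.example
    DocumentRoot /srv/www/site-b/public

    # Disjoint from site-a: neither tree is a parent of the other.
    php_admin_value open_basedir      "/srv/www/site-b/:/srv/tmp/site-b/"
    php_admin_value upload_tmp_dir    "/srv/tmp/site-b/"
    php_admin_value session.save_path "/srv/tmp/site-b/"

    # /srv/www/site-b/private/db.php holds the credentials of a different
    # database account, "site_b_app", granted access to site-b's data only.
</VirtualHost>

# Both vhosts still run as the same webserver uid, so the credential files
# stay readable by that uid. The separation here comes from open_basedir
# plus one database account per site, not from file permissions. As the
# comments above warn, some extensions have not honoured open_basedir, so
# the per-site database privileges are the control that must hold.
```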